Subject: Re: questions on package system
To: Antti Kantee <>
From: Andrew Gillham <>
List: tech-pkg
Date: 03/13/2000 13:40:49
Antti Kantee writes:
> Hmmh, I remember using sup through a firewall once. IIRC sup uses port
> 871 and is quite strict about it. If you can trick it somehow, this
> shouldn't be a problem. I had something like the following:
> localhost:871 -> outsidefirewall:80
> outsidefirewall:80 -> supserver:871
> The downside is that it requires one box outside the firewall for
> redirect. And of course the firewall has to be a fly-through one, not a
> proxy thingie.

Ok, information is power.  So they say.

If you want to "tunnel" a full ip stack, do the following:
1. Hack the 'socket' command to always connect to your proxy
   server at port XXX and issue: (and read the response)
   "CONNECT <the remote machine>:443 HTTP/1.0\n\n"

This is easy, though I don't have diff's as I haven't updated to
use the latest IPv6 socket patches.

2. Install a server out on the Internet with 'sshd -p 443' running.

3. Use 'ssh-ip-tunnel' on both ends, adding the following to .ssh/config.
	Host my.tunnel.server
		ProxyCommand /path/to/socket my.tunnel.server 8080

Then 'ssh my.tunnel.server' should work, by connecting via "HTTPS" support
on your proxy.  After this, ssh-ip-tunnel will give you a full IP stack
outside, and inside.  You've just totally defeated your very expensive
firewall and overpaid security administrators. :-)  Until they block your
site at the proxy, (moving target), or make the proxy verify there is SSL
on the HTTPS link. (then you get a SSL version of socket or something)

Anyway, if you have a machine inside *and* outside, you will pretty much
always have whatever access you want if your company/school/whatever allows
HTTPS CONNECT commands.  Most everyone does, or e-commerce would be DOA.

I have a hacked version of socket that uses the following syntax:
	% socket -t <remote host> <your proxy> <your proxy port>

This always connects to <remote host> port 443, which things like Squid
consider to be "safe ports" for CONNECT support.
This 'socket' is 5642 bytes gzipped, so I can send it to someone if they
want it, otherwise I have my sources around somewhere.

Andrew Gillham                            | This space left blank                     | inadvertently.
I speak for myself, not for my employer.  | Contact the publisher.